mirror_zfs/module
Richard Yao f33b298346 Illumos #15286: do_composition() needs sign awareness
Authored by: Dan McDonald <danmcd@mnx.io>
Reviewed by: Patrick Mooney <pmooney@pfmooney.com>
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Approved by: Joshua M. Clulow <josh@sysmgr.org>
Ported-by: Richard Yao <richard.yao@alumni.stonybrook.edu>

Illumos-issue: https://www.illumos.org/issues/15286
Illumos-commit: f137b22e73

Porting Notes:

The patch in illumos did not have much of a commit message, and did not
provide attribution to the reporter, while original patch proposed to
OpenZFS did, so I am listing the reporter (myself) and original patch
author (also myself) below while including the original commit message
with some minor corrections as part of the porting notes:

In do_composition(), we have:

size = u8_number_of_bytes[*p];
if (size <= 1 || (p + size) > oslast)
	break;

There, we have type promotion from int8_t to size_t, which is unsigned.
C will sign extend the value as part of the widening before treating the
value as unsigned and the negative values we can counter are error
values from U8_ILLEGAL_CHAR and U8_OUT_OF_RANGE_CHAR, which are -1 and
-2 respectively. The unsigned versions of these under two's complement
are SIZE_MAX and SIZE_MAX-1 respectively.

The bounds check is written under the assumption that `size <= 1` does a
signed comparison. This is followed by a pointer comparison to see if
the string has the correct length, which is fine.

A little further down we have:

for (i = 0; i < size; i++)
	tc[i] = *p++;

When an error condition is encountered, this will attempt to iterate at
least SIZE_MAX-1 times, which will massively overflow the buffer, which
is not fine.

The kernel will kill the loop as soon as it hits the kernel stack guard
on Linux systems built with CONFIG_VMAP_STACK=y, which should be just
about all of them. That prevents arbitrary code execution and just about
any other bad thing that a black hat attacker might attempt with
knowledge of this buffer overflow. Other systems' kernels have
mitigations for unbounded in-kernel buffer overflows that will catch
this too.

Also, the patch in illumos-gate made an effort to fix C style issues
that had been fixed in the OpenZFS/ZFSOnLinux repository. Those issues
had been mentioned in the email that I originally sent them about this
issue. One of the fixes had not been already done, so it is included.
Another to collect_a_seq()'s arguments was handled differently in
OpenZFS. For the sake of avoiding unnecessary differences, it has been
adopted. This has the interesting effect that if you correct the paths
in the illumos-gate patch to match the current OpenZFS repository, you
can reverse apply it cleanly.

Original-patch-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Reported-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Co-authored-by: Dan McDonald <danmcd@mnx.io>
Closes #14318
Closes #14342
2023-01-19 12:50:42 -08:00
..
avl AVL: Remove obsolete branching optimizations 2022-07-26 10:10:37 -07:00
icp Fix possible NULL pointer dereference in sha2_mac_init() 2022-12-01 12:39:42 -08:00
lua Lua: Fix bad bitshift in lua_strx2number() 2022-12-01 12:39:44 -08:00
nvpair Update checkstyle workflow env to ubuntu-20.04 2021-12-08 13:27:56 -08:00
os FreeBSD: catch up to 1400077 2023-01-19 12:50:42 -08:00
spl Cleanup linux module kbuild files 2020-06-10 09:24:15 -07:00
unicode Illumos #15286: do_composition() needs sign awareness 2023-01-19 12:50:42 -08:00
zcommon dsl_prop_known_index(): check for invalid prop 2022-11-08 10:16:21 -08:00
zfs Zero end of embedded block buffer in dump_write_embedded() 2023-01-19 12:50:36 -08:00
zstd module: zstd: check we don't leak symbols; regenerate symbol map 2022-05-16 15:48:21 -07:00
.gitignore FreeBSD: Ignore symlink to i386 includes 2022-09-28 10:35:13 -07:00
Kbuild.in Add zstd support to zfs 2020-08-20 10:30:06 -07:00
Makefile.bsd FreeBSD: Silence clang unused-but-set-variable 2022-06-15 11:27:28 -07:00
Makefile.in Add support for $KERNEL_{CC,LD,LLVM} variables 2022-02-16 17:58:55 -08:00